Data & Security Overview
Last modified: 12/31/2022
security@everyspacehq.com

Services Provided by Everyspace

Data Governance

What personal or sensitive information does Everyspace collect, store, or use?

To balance the right user experience with the respect of personal privacy, Everyspace only collects the minimum amount of information required to keep the service operational. For our services, we need the following data to provide a great event experience for users.

Data collected includes:

• Full name
• Email address
• Photo (if available)

Data collected by 3rd party vendors (unless opted out):

• IP addresses
• Page views
• Click actions
• Email addresses

What 3rd party vendors are used?

Name	Usage	Data collected	Opt-out available
Google Analytics	Anonymized page analytics	IP addresses Page views Click actions	Yes
Intercom	Customer support portal	IP addresses Page views Email addresses	Yes

How do we handle data protection and privacy?

We apply industry best practices to protect against the OWASP 10. Direct access to our production database is limited to need-to-have employees.

Is data ever provided to 3rd parties?

Other than the services mentioned above, we never share data with 3rd parties.

Is Everyspace GDPR compliant?

Yes. We comply with all requirements set forth by GDPR for all EU-based and non-EU-based companies.

Can we request permanent data deletion?

Yes. At the request of an authorized party, we support full deletion of all company data from our systems. We keep an anonymized log of deletion requests so we can delete from backups in the very rare event of a data restore.

Are Everyspace employees subject to NDAs?

Yes. All employees and contractors sign a confidentiality and invention assignment agreement as a condition of their employment. A copy of this agreement can be provided upon request.

Information Technology and Information Security

Where are data and services hosted?

Everyspace is hosted on Google Cloud Platform (GCP). All authentication mechanisms are hosted securely via their Identity Platform.

What is the physical security of data centers?

GCP is an industry leader in server security, which you can read about in their Privacy and Security Overview.

How is data secured in transit?

Data is always secured and encrypted in transit via HTTPS and TLS encryption.

How is data secured at rest?

Data is encrypted at rest under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys.

How are secrets managed?

All secrets are encrypted through Google Cloud Key Management system. Secrets are injected into applications using SOPS, meaning keys are never exposed in plaintext. Most secrets are automatically rotated every 6 months.

What development practices are used?

We apply industry best practices to protect against the OWASP 10, and we review these practices quarterly. Direct access to our production database is limited to need-to-have employees.

SOC2 attestation of compliance

We are working with a certified outside auditor to achieve SOC2 compliance, and expect to achieve this in Q4 2022.

How are incidents handled?

In the event of a data loss, we have a comprehensive Data Recovery Process that the engineering team will follow. In the event of a data breach, we will immediately notify any affected clients and provide details of any exposed information.

Is there a data backup policy?

Yes. Our primary database is replicated to a hot standby and a nightly snapshot is taken.

What logs are stored?

We store logs of API requests and errors in our console. These are stored for 30 days, and they do not include any personally identifying information or private keys. These logs can be provided upon request.

How can we get further information?

You can reach out to our security team by contacting security@everyspacehq.com.